
The basics of Digital Forensics
FAQ
What is Digital Forensics?
Computer forensics, or digital forensics, is the discipline of recovering, preserving and analysing data found on electronic devices, often as part of a legal dispute or an internal investigation. Forensic examinations can be performed on nearly any device that holds digitally stored data, including cell phones, laptops, hard drives, servers, thumb drives, SD cards, and even cloud storage.
What is a forensic image?
A forensic image (a bit-by-bit copy, also called a clone) is a complete copy of an entire storage device, whatever its type. It contains every sector of the drive: all the files plus the unallocated or unused space. Making a forensic image ensures that the evidence on the original device remains unaltered: the original is attached through a write blocker (a hardware device or a software setting that prevents anything being written to it), the image is hashed (typically with MD5 or SHA-256) at the time of acquisition, and that hash is recorded so anyone can later show that the copy is identical to the source. Examinations are performed on the copy only. This is necessary to produce legally admissible evidence.
A forensic image can be made with a hardware duplicator or with imaging software. If full-disk encryption is involved, an image of the powered-off drive contains only ciphertext. In that case a live forensic image may be required: the image is taken while the computer is still running and the encrypted volume is unlocked, so the copy captures readable data. Because the machine is in use (and possibly still connected to a network) during a live acquisition, the examiner documents exactly what was done, since the act of imaging changes the system's state slightly.
What is a forensic copy?
A “forensic copy” is used to collect and preserve active (logical) files: it is a precise, unaltered copy of the selected data, including the original file metadata, but it is not a complete image of the drive. A forensic copy may be the only option for a shared server or cloud storage, where a volume has many users or must remain in service. Its limitation is that it cannot support the recovery of deleted files, because it does not include unallocated space or file slack.
What is encryption?
Encryption is a process that converts data into a form that cannot be read without the correct key (usually unlocked by a password). With the key, the data is readable as before; without it, an examiner sees only ciphertext. A forensic examiner therefore needs the key, the password, or a recovery key to decode encrypted data. BitLocker recovery keys, for example, are often escrowed with the organisation's Active Directory or the user's Microsoft account, and the examiner asks for these first. If no key is available, a live forensic image may be the only hope, because the running system holds the decryption key in memory and can read the unlocked volume; once the machine is powered off, that access is gone. Encryption is increasingly common in companies that fear data breaches. Better-known products include McAfee Endpoint Encryption (formerly SafeBoot), Symantec Endpoint Encryption, and PGP Whole Disk Encryption. Windows has a built-in encryption feature called BitLocker, and on macOS it is called FileVault.
Can you recover deleted files?
Most digital devices contain deleted files. A forensic examination can produce a list of deleted files and recover some or all of them. When a file is deleted, the file system does not erase its contents: it marks the directory entry as unused and returns the clusters the file occupied to the pool of “unallocated space”. The data stays on the drive, invisible to the operating system, until something new is written over it, so a deleted file may be only partly recoverable, or not at all, if new data has overwritten it. One caveat: on modern solid-state drives the TRIM command lets the drive erase freed blocks on its own, so deleted data can disappear far sooner than on a spinning disk. When a device or hard drive under analysis contains no deleted files at all, this can indicate that intentional data wiping has occurred or that the operating system has been reinstalled.
What is unallocated Space?
When a forensic image of a drive is made, the unused portion of the drive, called “unallocated space”, is included in the copy. Unallocated space can contain whole files, or fragments of files, that have been deleted. Once the operating system writes new data over a region of unallocated space, the original deleted content in that region is gone. Recovering files from unallocated space by searching for known file headers and footers (a JPEG begins with the bytes FF D8 FF, for example), without relying on the file system's metadata, is called file carving. A second source of old data is slack space. Storage is handed out in fixed-size clusters, so a file that is shorter than the clusters allocated to it leaves the tail of its last cluster unused, and that tail still holds whatever was written there previously. If a smaller file is written over a region that held a larger deleted file, fragments of the larger file survive in the new file's slack and can be examined.
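The following is an added example, not code from the original page or from Enetsec; it illustrates the deleted-file and unallocated-space behaviour described in the two answers above on a small constructed disk image. The image layout, the 512-byte cluster size, the file table and the file contents are all hypothetical. The code carves a deleted JPEG out of unallocated space by signature, pulls a readable fragment of a partly overwritten PDF out of the slack of the small file that replaced it, and confirms by SHA-256 hash that the examined image is unchanged.

```python
"""Added example: carving deleted files from unallocated space and reading file slack.
Everything here is constructed for illustration: a hypothetical 4 KiB image with
512-byte clusters and a toy file table mapping name -> (first cluster, size in bytes)."""
import hashlib
import math
import re

CLUSTER = 512  # assumption: the constructed image allocates space in 512-byte clusters

# Header/footer signatures used for carving (these are the real JPEG and PDF markers).
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

# Constructed sample content, not data from any real case.
LIVE_FILE = b"Quarterly report draft\n" * 30                      # still allocated
DELETED_JPEG = b"\xff\xd8\xff\xe0JFIF" + bytes(range(256)) * 4 + b"\xff\xd9"
DELETED_PDF = (b"%PDF-1.4\n" + b"x" * 200 + b"\n1 0 obj\n"
               b"<< /Title (Contract total: 42,000 USD) >>\nendobj\n" + b"y" * 300 + b"%%EOF")
NEW_FILE = b"Lunch at noon; bring the signed copy.\n"              # later written over the PDF


def build_image():
    """Return (image, file_table).  Clusters 0-1: live file.  Clusters 2-4: a JPEG whose
    directory entry was deleted but whose bytes are intact.  Clusters 5-6: a deleted PDF;
    a new, smaller file was then given cluster 5, overwriting only the first 38 bytes."""
    img = bytearray(CLUSTER * 8)
    img[0:len(LIVE_FILE)] = LIVE_FILE
    img[2 * CLUSTER:2 * CLUSTER + len(DELETED_JPEG)] = DELETED_JPEG
    img[5 * CLUSTER:5 * CLUSTER + len(DELETED_PDF)] = DELETED_PDF
    img[5 * CLUSTER:5 * CLUSTER + len(NEW_FILE)] = NEW_FILE
    table = {"report.txt": (0, len(LIVE_FILE)), "memo.txt": (5, len(NEW_FILE))}
    return bytes(img), table            # bytes, not bytearray: the image is never modified


def clusters_of(start, size):
    return range(start, start + max(1, math.ceil(size / CLUSTER)))


def unallocated_runs(img, table):
    """Yield (byte offset, data) for each contiguous run of clusters no live file owns."""
    used = {c for start, size in table.values() for c in clusters_of(start, size)}
    run = []
    for c in [c for c in range(len(img) // CLUSTER) if c not in used] + [None]:
        if run and (c is None or c != run[-1] + 1):
            yield run[0] * CLUSTER, img[run[0] * CLUSTER:(run[-1] + 1) * CLUSTER]
            run = []
        if c is not None:
            run.append(c)


def carve_unallocated(img, table):
    """Signature carving: find a header, then the next footer, ignoring file-system metadata."""
    found = []
    for base, data in unallocated_runs(img, table):
        for kind, (header, footer) in SIGNATURES.items():
            pos = data.find(header)
            while pos != -1:
                end = data.find(footer, pos + len(header))
                if end == -1:
                    break                                   # truncated: footer was overwritten
                found.append((kind, base + pos, data[pos:end + len(footer)]))
                pos = data.find(header, end + len(footer))
    return found


def file_slack(img, table):
    """Bytes between each live file's logical end and the end of its last cluster."""
    return {name: img[start * CLUSTER + size:(start + len(clusters_of(start, size))) * CLUSTER]
            for name, (start, size) in table.items()}


def printable_strings(data, min_len=8):
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    image, table = build_image()
    before = sha256_hex(image)
    for kind, offset, blob in carve_unallocated(image, table):
        print(f"carved {kind} at offset {offset}: {len(blob)} bytes")
    for name, slack in file_slack(image, table).items():
        print(f"{name} slack ({len(slack)} bytes):", printable_strings(slack)[:3])
    print("image hash unchanged after examination:", sha256_hex(image) == before)
```

The PDF's header was destroyed by the new memo, so the carver cannot find it (no header, no carve), yet the contract title still sits in the memo's slack: a 38-byte file occupies a 512-byte cluster, and the remaining 474 bytes are the old PDF. The JPEG, whose clusters were freed but never reused, carves out whole.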
What is metadata?
Metadata is data about data. File-system metadata records a file's creation, last-access and last-modified dates and times. Application metadata stored inside the file can reveal more: with specialised forensic software, the author or creator of a document, the number of revisions it underwent, and the last time it was printed can be found. Photos and videos commonly carry EXIF data that identifies where and when they were taken and on what camera or device. Because timestamps can be changed deliberately or by ordinary copying, examiners corroborate them against other artifacts rather than relying on a single value.
Identifying external devices
Forensic examination can tell us what external devices have been connected to a particular computer and when. Most devices leave evidence of their make and model, and many leave a unit serial number as well; on Windows, for example, the registry records the vendor, product and serial number of every USB storage device that has been plugged in. This provides a trail to other devices that may need to be examined during an investigation.
How are link files helpful?
Link files (Windows shortcut files with the .lnk extension) can show that a file was present on, or was opened on, a particular system even when that file no longer exists. A link file is a shortcut that points to an application or a file. Windows creates them automatically when a user opens a file (in the Recent folder, among other places), and each one records the target's original location, its size, the creation, access and modification timestamps of the target at the time the link was written, and the serial number of the volume the target was on, which can tie a file to a specific removable drive.
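An added example, not code from the original page or from Enetsec, illustrating the two answers above: a small builder and parser for .lnk files in Python, following the publicly documented MS-SHLLINK layout. The sample link, its target path, timestamps, volume label and serial number are all constructed values. Parsing it shows the target path and size, the target's timestamps as recorded in the link, and the volume serial number and drive type that tie the shortcut to a removable drive.

```python
"""Added example: a minimal builder and parser for Windows shell link (.lnk) files, following
the MS-SHLLINK layout.  The sample link is constructed here, not taken from a real system; it
points at a file on a removable drive so the parse shows what a link file preserves: the
target path, its size, its timestamps at the moment the link was written, and the serial
number of the volume it lived on."""
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_WORKING_DIR, IS_UNICODE = 0x01, 0x02, 0x10, 0x80
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]      # order fixed by the spec
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):     # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def cstring(buf, off):   # null-terminated ANSI string at offset
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def build_lnk(target, created, accessed, modified, size, drive_type, serial, label, working_dir):
    flags = HAS_LINK_INFO | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20,   # 0x20 = ARCHIVE
                         to_filetime(created), to_filetime(accessed), to_filetime(modified),
                         size, 0, 1, 0, 0, 0, 0)                  # icon, SW_SHOWNORMAL, hotkey, reserved
    label_b = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    vol_off = 28                                 # LinkInfo header size without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = (struct.pack("<7I", suffix_off + 1, 28, 1, vol_off, base_off, 0, suffix_off)
                 + volume_id + base + suffix)    # LinkInfoFlags 1 = VolumeIDAndLocalBasePath
    string_data = struct.pack("<H", len(working_dir)) + working_dir.encode("utf-16-le")
    return header + link_info + string_data + b"\x00\x00\x00\x00"  # terminal ExtraData block


def parse_lnk(data):
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<I16sIIQQQI", data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    info = {"flags": flags, "attributes": attrs, "target_size": fsize,
            "created": from_filetime(ctime), "accessed": from_filetime(atime),
            "modified": from_filetime(wtime)}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; its size word precedes it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off, _net_off, suffix_off = struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + li_size]             # all LinkInfo offsets are relative to its start
        if li_flags & 1:
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", li, vol_off)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = cstring(li, vol_off + label_off)
            info["local_base_path"] = cstring(li, base_off)
        info["common_path_suffix"] = cstring(li, suffix_off)
        pos += li_size
    for bit, key in STRING_DATA:                 # each: 2-byte char count, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return info


def sample_lnk():
    """Constructed shortcut to a spreadsheet on a USB stick (all values hypothetical)."""
    return build_lnk(r"E:\Projects\budget.xlsx",
                     created=datetime(2023, 2, 1, 8, 0, tzinfo=timezone.utc),
                     accessed=datetime(2023, 5, 17, 9, 31, tzinfo=timezone.utc),
                     modified=datetime(2023, 5, 17, 9, 30, tzinfo=timezone.utc),
                     size=48213, drive_type=2, serial=0x1A2B3C4D, label="KINGSTON",
                     working_dir=r"E:\Projects")


if __name__ == "__main__":
    for key, value in parse_lnk(sample_lnk()).items():
        print(f"{key:18} {value}")
```

The parser deliberately handles only the ANSI volume label and local base path (the common case); real-world links can also carry a network share block, an IDList and several ExtraData blocks, which a production tool parses as well. The point for an examiner is what survives even after the target is gone: the path, the size, the three FILETIME values, and a volume serial that can be matched against the USB device history on the same machine.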
What are the costs of Digital Forensics?
The cost of a forensic examination depends on many factors, from lab time to hardware and software requirements to the scope of the data or files being sought. Because digital forensics is a science, highly skilled examiners and engineers must perform several steps to produce a forensically sound report. This can take time and a significant amount of labor. Enetsec offers clients case-specific pricing to avoid the uncertainty of hourly billing. Once the client provides the parameters and scope of the investigation, Enetsec calculates a flat fee, which will be honored unless the scope of the client’s needs changes.